QUADRATIC RESIDUES AND DIFFERENCE SETS


VSEVOLOD F. LEV AND JACK SONN 

Abstract. It has been conjectured by Sárközy that with finitely many exceptions, the set of quadratic residues modulo a prime $p$ cannot be represented as a sumset $\{a+b : a\in A,\ b\in B\}$ with non-singleton sets $A, B\subseteq\mathbb{F}_p$. The case $A=B$ of this conjecture has been recently established by Shkredov. The analogous problem for differences remains open: is it true that for all sufficiently large primes $p$, the set of quadratic residues modulo $p$ is not of the form $\{a'-a'' : a', a''\in A,\ a'\ne a''\}$ with $A\subseteq\mathbb{F}_p$?

We attack here a presumably more tractable variant of this problem, which is to show that there is no $A\subseteq\mathbb{F}_p$ such that every quadratic residue has a unique representation as $a'-a''$ with $a', a''\in A$, and no non-residue is represented in this form. We give a number of necessary conditions for the existence of such $A$, involving for the most part the behavior of primes dividing $p-1$. These conditions enable us to rule out all primes $p$ in the range $13 < p < 10^{18}$ (the primes $p=5$ and $p=13$ being conjecturally the only exceptions).


1. Background and Motivation 

Sárközy [Sa12] conjectured that the set $\mathcal{R}_p$ of all quadratic residues modulo a prime $p$ is not representable as a sumset $\{a+b : a\in A,\ b\in B\}$, whenever $A, B\subseteq\mathbb{F}_p$ satisfy $\min\{|A|,|B|\} > 1$. Shkredov [Sh14] has recently established the particular case $B=A$ of this conjecture, showing that $\{a'+a'' : a', a''\in A\}\ne\mathcal{R}_p$, except if $p=3$ and $A=\{2\}$. He has also proved that $\mathcal{R}_p$ cannot be represented as a restricted sumset: $\{a'+a'' : a', a''\in A,\ a'\ne a''\}\ne\mathcal{R}_p$ for $A\subseteq\mathbb{F}_p$, with several exceptions for $p < 13$.

The argument of [Sh14] does not seem to extend to handle differences (instead of sums) and to show that

$$\{a'-a'' : a', a''\in A,\ a'\ne a''\}\ne\mathcal{R}_p, \qquad A\subseteq\mathbb{F}_p. \qquad (1)$$

We notice that for equality to hold in (1), one needs to have $2\binom{|A|}{2} = |A|(|A|-1)\ge|\mathcal{R}_p| = (p-1)/2$, which readily yields

$$|A| > \sqrt{p/2}. \qquad (2)$$
At the same time, there is a famous, long-standing conjecture saying that for every $\varepsilon > 0$, if $A\subseteq\mathbb{F}_p$ has the property that $a'-a''\in\mathcal{R}_p$ for all $a', a''\in A$ with $a'\ne a''$, then

$$|A| < p^{\varepsilon} \qquad (3)$$

provided that $p$ is sufficiently large. (We refer the reader to [Sh14] for several more related conjectures and discussion.) Combining (2) and (3) with any fixed $\varepsilon < 1/2$, one immediately derives that (1) is true for all but finitely many primes $p$.

Unfortunately, the conjecture just mentioned is presently out of reach, and neither could we prove (1). As a step in this direction, we investigate the following, presumably easier, problem:

Does there exist a subset $A\subseteq\mathbb{F}_p$ such that the differences $a'-a''$ with $a', a''\in A$, $a'\ne a''$, list all quadratic residues modulo $p$, and every quadratic residue is listed exactly once?

Even this question does not eventually receive a complete answer. However, we were able to establish a number of necessary conditions, and use them to show that in the range $13 < p < 10^{18}$ there are no "exceptional primes". This makes it extremely plausible to conjecture that no such primes exist at all, with just two exceptions $p=5$ and $p=13$ addressed below.


2. Summary of Results 

In this section we introduce basic notation and present our results. Most of the proofs are postponed to subsequent sections; see the "proof locator" at the very end of the section.

Recall that for a prime $p$ we denote by $\mathbb{F}_p$ the finite field of order $p$, and by $\mathcal{R}_p$ the set of all quadratic residues modulo $p$. We also denote by $\mathcal{N}_p$ the set of all quadratic non-residues modulo $p$, to have the decomposition $\mathbb{F}_p = \mathcal{R}_p\cup\mathcal{N}_p\cup\{0\}$.

For subsets $A$ and $S$ of an additively written abelian group, the notation $A - A = S$ will indicate that every element of $S$ has a unique representation as a difference of two elements of $A$ and, moreover, every such non-zero difference belongs to $S$. (In our context, the underlying group is always the additive group of the field $\mathbb{F}_p$, and $S$ is one of the sets $\mathcal{R}_p$ and $\mathcal{N}_p$.) Our goal is thus to show that, with few exceptions,

$$A - A = \mathcal{R}_p \qquad (4)$$

does not hold.

One immediate observation is that for (4) to hold, letting $n := |A|$, one needs to have $n(n-1) = |\mathcal{R}_p| = (p-1)/2$; that is, $p = 2n(n-1)+1$. As a result, $p\equiv 1 \pmod 4$, a conclusion which also follows by observing that the set of all differences $a'-a''$ is symmetric, whence $\mathcal{R}_p$ must be symmetric too.

Experimenting with small values of $p$, one finds two remarkable exceptions, sets for which (4) does hold: namely, $A_5 := \{2,3\}\subseteq\mathbb{F}_5$ and $A_{13} := \{2,5,6\}\subseteq\mathbb{F}_{13}$. Clearly, all affinely equivalent sets of the form $\{\rho a + c : a\in A_p\}$, where $\rho\in\mathcal{R}_p$ and $c\in\mathbb{F}_p$ are fixed parameters (and $p\in\{5,13\}$), work too, and it is not difficult to see that no other sets $A$ satisfying (4) exist for $p\le 13$; indeed, we believe that there are no more such sets at all.

What makes the two sets $A_5$ and $A_{13}$ special? An interesting feature they have in common is that both of them are cosets of a subgroup of the multiplicative group of the corresponding field; indeed, $A_{13}$ is a coset of the subgroup $\{1,3,9\} < \mathbb{F}_{13}^\times$, while $A_5$ is a coset of the subgroup $\{1,4\} < \mathbb{F}_5^\times$. In addition, $A_5$ is affinely equivalent to the set $\{0,1\}$, which is a union of $0$ and a subgroup of $\mathbb{F}_5^\times$. Our first two theorems show that constructions of this sort do not work for $p > 13$.
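The two sets $A_5$ and $A_{13}$ can be checked, and the search for further examples for small $p$ carried out, with the following Python script. It is an added illustration and not part of the paper; the function names are ours, and the relation $A - A = \mathcal{R}_p$ is implemented exactly in the sense of (4). The backtracking search uses the affine equivalence noted above: since every difference of two elements of a solution is a residue, the map $x\mapsto(x-a)/(a'-a)$ (a dilation by a residue followed by a translation) carries any solution to one containing $0$ and $1$, so it suffices to search for those.

```python
"""Added example (not from the paper): brute-force checks of the relation A - A = R_p.

The relation is implemented in the paper's sense: the n(n-1) differences a' - a'' of
distinct elements of A are pairwise distinct and their set is exactly R_p, the set
of non-zero quadratic residues modulo p.  Function names are ours.
"""
from itertools import combinations
from math import isqrt


def quadratic_residues(p):
    """The set R_p of non-zero quadratic residues modulo an odd prime p."""
    return {pow(x, 2, p) for x in range(1, p)}


def is_perfect_difference_set(A, p):
    """True iff A - A = R_p: every residue is a' - a'' for exactly one ordered pair of
    distinct elements of A, and no non-residue occurs as such a difference."""
    A = sorted({a % p for a in A})
    diffs = [(a - b) % p for a in A for b in A if a != b]
    return len(diffs) == len(set(diffs)) and set(diffs) == quadratic_residues(p)


def size_from_prime(p):
    """n with p = 2n(n-1)+1, or None: A - A = R_p forces n(n-1) = |R_p| = (p-1)/2."""
    if p % 4 != 1:
        return None
    d = 1 + 4 * ((p - 1) // 2)      # discriminant of n^2 - n - (p-1)/2 = 0
    r = isqrt(d)
    if r * r != d or (1 + r) % 2:
        return None
    return (1 + r) // 2


def normalized_solutions(p):
    """All A with A - A = R_p containing 0 and 1, found by backtracking.

    Every solution is affinely equivalent to such a set: for a, a' in A the element
    a' - a is a residue, so x -> (x - a)/(a' - a) maps A onto a solution through 0
    and 1.  Elements are added in increasing order, and a partial set is discarded
    as soon as a new difference is a non-residue or repeats an earlier one."""
    n = size_from_prime(p)
    if n is None:
        return []
    R = quadratic_residues(p)
    found = []

    def extend(A, used):
        if len(A) == n:
            found.append(tuple(A))
            return
        for x in range(A[-1] + 1, p):
            new = {(x - a) % p for a in A} | {(a - x) % p for a in A}
            if len(new) == 2 * len(A) and new <= R and not (new & used):
                extend(A + [x], used | new)

    extend([0, 1], {1, p - 1})      # 1 and -1 are residues because p = 1 (mod 4)
    return found


def all_solutions(p):
    """Exhaustive enumeration over all n-subsets of F_p; only sensible for tiny p."""
    n = size_from_prime(p)
    if n is None:
        return []
    return [A for A in combinations(range(p), n) if is_perfect_difference_set(A, p)]


if __name__ == "__main__":
    print(is_perfect_difference_set([2, 3], 5), is_perfect_difference_set([2, 5, 6], 13))
    for p in (5, 13, 41, 61, 113, 181):
        print(p, size_from_prime(p), normalized_solutions(p))
```

Running it reproduces the two exceptions: for $p=5$ the only normalized solution is $\{0,1\}$, for $p=13$ the normalized solutions are $\{0,1,4\}$ and $\{0,1,10\}$, both affine images of $A_{13}$ (the exhaustive counts of all solutions are $5$ and $26$, respectively), and for the next candidates $p = 41, 61, 113, 181$ the search comes back empty.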

Theorem 1. For a prime $p > 13$, there is no coset $A = gH$, with $H < \mathbb{F}_p^\times$ and $g\in\mathbb{F}_p^\times$, such that $A - A = \mathcal{R}_p$.

Theorem 2. For a prime $p > 5$, there is no coset $gH$, with $H < \mathbb{F}_p^\times$ and $g\in\mathbb{F}_p^\times$, such that, letting $A := gH\cup\{0\}$, we have $A - A = \mathcal{R}_p$.

For an integer $\mu$ and a subset $A$ of an additively written abelian group, by $\mu A$ we denote the dilate of $A$ by the factor of $\mu$:

$$\mu A := \{\mu a : a\in A\}.$$

Extending slightly one of the central notions of the theory of difference sets, we say that $\mu$ is a multiplier of $A$ if $\mu$ is co-prime with the exponent of the group, say $e$, and there exists a group element $g$ such that $\mu A = A + g$. Clearly, in this case every integer from the residue class of $\mu$ modulo $e$ is also a multiplier of $A$. This shows that the multipliers of a given set $A$ can be considered as elements of the group of units $(\mathbb{Z}/e\mathbb{Z})^\times$, and it is immediately seen that they actually form a subgroup; we denote this subgroup by $M_A$, and call it the multiplier subgroup of $A$.

It is readily seen that all translates of a subset $A$ of an abelian group have the same multiplier subgroup. If, furthermore, $|A|$ is co-prime with the exponent $e$ of the group, then there is a translate of $A$ whose elements add up to $0$. Denoting this translate by $A_0$ and observing that $\mu A_0 = A_0 + g$ implies $g = 0$ (as follows by comparing the sums of elements of each side: the left-hand side sums to $0$, the right-hand side to $|A|g$, and $|A|$ is invertible modulo $e$), we conclude that if $\gcd(|A|, e) = 1$, then $A$ has a translate which is fixed by every multiplier $\mu\in M_A$.
Here we are interested in the situation where the underlying group has prime order. In this case, every subset $A$ has a translate fixed by its multiplier subgroup $M_A$. This translate is then a union of several cosets of $M_A$ and, possibly, the zero element of the group. Consequently, using multipliers, Theorems 1 and 2 can be restated as follows: if $p > 13$ and $A\subseteq\mathbb{F}_p$ satisfies $A - A = \mathcal{R}_p$, then choosing $g\in\mathbb{F}_p$ so that the elements of the translate $A - g$ add up to $0$, the set $(A - g)\setminus\{0\}$ is a union of at least two cosets of $M_A$.
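As an added illustration (not from the paper), the following Python code computes $M_A$ by brute force for a subset $A$ of $\mathbb{F}_p$, forms the zero-sum translate $A_0$ and decomposes $A_0\setminus\{0\}$ into cosets of $M_A$; for $A_5$ and $A_{13}$ it exhibits the single-coset structure that Theorems 1 and 2 exclude for $p > 13$. Function names are ours; since the group has prime order $p$, every $\mu\in\{1,\dots,p-1\}$ is co-prime to the exponent and is tested directly.

```python
"""Added example (not from the paper): the multiplier subgroup M_A of a subset A of F_p.

For a prime p the exponent of the additive group is p, so every mu in 1..p-1 is a
candidate multiplier; mu is one iff mu*A is a translate of A.  Function names are ours.
"""


def multiplier_subgroup(A, p):
    """M_A = { mu in F_p^x : mu*A = A + g for some g in F_p }."""
    A = {a % p for a in A}
    M = set()
    for mu in range(1, p):
        dilate = {(mu * a) % p for a in A}
        if any(dilate == {(a + g) % p for a in A} for g in range(p)):
            M.add(mu)
    return M


def zero_sum_translate(A, p):
    """The translate A - g whose elements add up to 0 (unique, as gcd(|A|, p) = 1)."""
    A = [a % p for a in A]
    g = (sum(A) * pow(len(A), -1, p)) % p      # solves |A| * g = sum(A)  (mod p)
    return {(a - g) % p for a in A}


def coset_decomposition(A0, M, p):
    """Split A0 \\ {0} into cosets of the subgroup M of F_p^x, returned as a list of
    frozensets; None if A0 \\ {0} is not a union of cosets of M."""
    rest = {a for a in A0 if a != 0}
    cosets = []
    while rest:
        a = min(rest)
        coset = frozenset((a * m) % p for m in M)
        if not coset <= rest:
            return None
        cosets.append(coset)
        rest -= coset
    return cosets


def multiplicative_order(x, p):
    """ord_p(x) by repeated multiplication (adequate for small p)."""
    k, y = 1, x % p
    while y != 1:
        y = (y * x) % p
        k += 1
    return k


if __name__ == "__main__":
    for A, p in (([2, 3], 5), ([2, 5, 6], 13)):
        M = multiplier_subgroup(A, p)
        A0 = zero_sum_translate(A, p)
        print(p, sorted(M), sorted(A0), coset_decomposition(A0, M, p))
```

For $A_{13}$ one gets $M_A = \{1,3,9\}$, of odd order $3$ (in accordance with Lemma 1 below, and divisible by $G_{13} = \operatorname{ord}_{13}(3) = 3$ as Theorem 3 predicts), and $A_{13}$ is itself a single coset of $M_A$; for $A_5$ one gets $M_A = \{1,4\}$, of even order, which is why Lemma 1 requires $p > 5$.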

Our next result shows, albeit in a rather indirect way, that "normally", a set $A\subseteq\mathbb{F}_p$ satisfying $A - A = \mathcal{R}_p$ must have a large multiplier subgroup.

For a prime $p\equiv 1 \pmod 4$, let $G_p$ denote the greatest common divisor of the orders modulo $p$ of all primes dividing $(p-1)/4$:

$$G_p := \gcd\{\operatorname{ord}_p(q) : q\mid (p-1)/4,\ q \text{ is prime}\}.$$

Theorem 3. If $p$ is a prime and $A\subseteq\mathbb{F}_p$ satisfies $A - A = \mathcal{R}_p$, then the multiplier subgroup $M_A$ lies above the order-$G_p$ subgroup of $\mathbb{F}_p^\times$; equivalently, $|M_A|$ is divisible by $G_p$.

The quantity $G_p$ is difficult to study analytically, but one can expect that it is usually quite large: for, if $r^v\mid p-1$ with $r$ prime and $v > 0$ integer, then in order for $r^v$ not to divide $G_p$, there must be a prime $q\mid (p-1)/4$ which is a degree-$r$ residue modulo $p$, the "probability" of which for every specific $q$ is $1/r$. Computations show that, for instance, among all primes $p < 10^{12}$ of the form $p = 2n(n-1)+1$, there are less than 1.4% those satisfying $G_p < \sqrt p$.

Recalling that $A - A = \mathcal{R}_p$ implies $p = 2n(n-1)+1$ with $n = |A|$, from Theorem 3 and in view of Theorems 1 and 2 (which require $p > 13$) we get

Corollary 1. Suppose that $p > 13$ is a prime. If there exists a subset $A\subseteq\mathbb{F}_p$ with $A - A = \mathcal{R}_p$ then, writing $p = 2n(n-1)+1$, either $G_p$ is a proper divisor of $n$, or $G_p$ is a proper divisor of $n-1$.

To give an impression of how strong Corollary 1 is, we remark that it sieves out over 99.7% of all primes $p = 2n(n-1)+1$ with $p < 10^{12}$.

For integer $k\ge 1$, let $\Phi_k$ denote the $k$th cyclotomic polynomial. Yet another useful consequence of Theorem 3 is

Corollary 2. Let $p$ be a prime, and suppose that there exists a subset $A\subseteq\mathbb{F}_p$ with $A - A = \mathcal{R}_p$. If an element $z\in\mathbb{F}_p$ and an integer $k\ge 2$ satisfy $\operatorname{ord}_p(z)\nmid k$ and $\operatorname{ord}_p(z)\mid G_p$, then $\Phi_k(z)\in\mathcal{R}_p$.

The practical implication of Corollary 2 is that if we can find a residue $z\in\mathbb{F}_p$ of degree $(p-1)/G_p$ (that is, an element of the order-$G_p$ subgroup of $\mathbb{F}_p^\times$) and an integer $k\ge 2$ such that $z^k\ne 1$ and $\Phi_k(z)\in\mathcal{N}_p$, then there is no set $A\subseteq\mathbb{F}_p$ with $A - A = \mathcal{R}_p$.

To prove Corollary 2, denote by $H$ the order-$G_p$ subgroup of $\mathbb{F}_p^\times$, and consider the differences $h'-h''$ with $h', h''\in H$, $h'\ne h''$. By Theorem 3, either all these differences are quadratic residues, or they all are quadratic non-residues. If $\operatorname{ord}_p(z)\mid G_p$ and $\operatorname{ord}_p(z)\nmid k$, then both $z$ and $z^k$ are non-unit elements of $H$, and consequently either both $z-1$ and $z^k-1$ are quadratic residues, or they both are quadratic non-residues. In either case,

$$\prod_{d\mid k,\ d > 1}\Phi_d(z) = \frac{z^k-1}{z-1}\in\mathcal{R}_p,$$

and the claim follows by induction on $k$.

It is somewhat surprising that if a set $A\subseteq\mathbb{F}_p$ with $A - A = \mathcal{R}_p$ exists, then all orders $\operatorname{ord}_p(q)$ appearing in the definition of the quantity $G_p$ are odd.

Theorem 4. Let $p$ be a prime. If there exists a subset $A\subseteq\mathbb{F}_p$ satisfying $A - A = \mathcal{R}_p$, then for every prime $q\mid (p-1)/4$ the order $\operatorname{ord}_p(q)$ is odd.

Corollary 3. Let $p$ be a prime. If there exists a subset $A\subseteq\mathbb{F}_p$ satisfying $A - A = \mathcal{R}_p$, then writing $p = 2n(n-1)+1$ we have $n\equiv 2 \pmod 4$ or $n\equiv 3 \pmod 4$; hence, $p\equiv 5 \pmod 8$.

To derive Corollary 3 from Theorem 4, observe that if we had $n\equiv 0 \pmod 4$ or $n\equiv 1 \pmod 4$, then $(p-1)/4 = n(n-1)/2$ were even and, consequently, $(p-1)/4$ and $p-1$ would have the same prime divisors. As a result, all prime divisors of $p-1$ would be of odd order modulo $p$, which is impossible as $p-1\equiv -1$ itself has even order.

Using a biquadratic reciprocity law due to Lemmermeyer [Le00], from Theorem 4 we will derive

Theorem 5. Let $p$ be a prime. If there exists a subset $A\subseteq\mathbb{F}_p$ satisfying $A - A = \mathcal{R}_p$ then, writing $p = 2n(n-1)+1$, neither $n$ nor $n-1$ have prime divisors congruent to $7$ modulo $8$. Moreover, of the two numbers $n$ and $n-1$, the odd one has no prime divisors congruent to $5$ modulo $8$, and the even one has no prime divisors congruent to $3$ modulo $8$.

Computations show that there are very few primes passing both the test of Corollary 1 and that of Theorem 5. In the range $13 < p < 10^{18}$, there are only five such primes, corresponding to the values of $n$ listed in the following table:
          n    δ   (n − δ)/G_p   n − 1, n
         51    1        2        2·5², 3·17
        650    0        2        11·59, 2·5²·13
      32283    1        2        2·16141, 3²·17·211
   57303490    1        3        3·1579·12097, 2·5·5730349
  377687811    0        3        2·5·17·113·19661, 3·1787·70451

Fig. 1. The second column gives the value of δ ∈ {0, 1} such that G_p | n − δ; the third column gives the quotient (n − δ)/G_p; the last column contains the prime decompositions of n − 1 and n.

Every individual value of $n$ in the table is easy to rule out using Corollary 2. For instance, the first exceptional value $n = 51$ corresponds to the prime $p = 5101$; since $(5101-1)/G_{5101} = 204$, applying Corollary 2 with $k = 2$ we conclude that if $A\subseteq\mathbb{F}_{5101}$ satisfying $A - A = \mathcal{R}_{5101}$ existed, then every degree-$204$ residue $z\in\mathbb{F}_{5101}$ with $z^2\ne 1$ would satisfy $z+1\in\mathcal{R}_{5101}$; this conclusion, however, is violated for $z = 2^{204}$.

The remaining four exceptional cases can be dealt with in an analogous way; say, one can take $z = 2^{(p-1)/G_p}$ for $n = 650$ and $n = 377687811$, and $z = c^{(p-1)/G_p}$ with another small base $c$ for $n = 32283$ and $n = 57303490$ (with $k = 2$ in each case). We thus conclude that there are no primes $13 < p < 10^{18}$ for which $A\subseteq\mathbb{F}_p$ with $A - A = \mathcal{R}_p$ exists.
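The sieve described in this section can be reproduced for small $n$ with the following Python script, an added example that is not part of the paper. It implements $G_p$ as the gcd of $\operatorname{ord}_p(q)$ over the primes $q$ dividing $(p-1)/4$, the tests of Corollary 1, Corollary 3 and Theorem 5, and the search for a Corollary 2 witness $z = b^{(p-1)/G_p}$, $k\ge 2$, with $z^k\ne 1$ and $\Phi_k(z)\in\mathcal{N}_p$. The function names, the trial-division factoring (adequate only for $p < 10^6$ or so) and the bounds on the bases $b$ and exponents $k$ tried are our choices.

```python
"""Added example (not from the paper): the necessary conditions of Section 2 as a sieve
over n, with p = 2n(n-1)+1.  Helper names, the trial-division factoring and the search
bounds for the Corollary 2 witness are ours."""
from math import gcd


def prime_factors(m):
    """Distinct prime divisors of m >= 1 (trial division; fine for m < 10^12)."""
    out, d = [], 2
    while d * d <= m:
        if m % d == 0:
            out.append(d)
            while m % d == 0:
                m //= d
        d += 1
    if m > 1:
        out.append(m)
    return out


def is_prime(m):
    return m >= 2 and prime_factors(m) == [m]


def multiplicative_order(q, p):
    """ord_p(q): start from p-1 and divide out primes r while q^(order/r) = 1."""
    order = p - 1
    for r in prime_factors(p - 1):
        while order % r == 0 and pow(q, order // r, p) == 1:
            order //= r
    return order


def G(p):
    """G_p = gcd of ord_p(q) over the primes q dividing (p-1)/4 (p = 1 mod 4)."""
    g = 0
    for q in prime_factors((p - 1) // 4):
        g = gcd(g, multiplicative_order(q, p))
    return g


def legendre(a, p):
    s = pow(a % p, (p - 1) // 2, p)
    return -1 if s == p - 1 else s


def passes_corollary_1(n, p):
    """G_p is a proper divisor of n or of n-1."""
    g = G(p)
    return (n % g == 0 and g < n) or ((n - 1) % g == 0 and g < n - 1)


def passes_theorem_5(n):
    """No prime divisor of n or n-1 is 7 mod 8; the odd one of n, n-1 has no prime
    divisor 5 mod 8, the even one has none 3 mod 8."""
    odd, even = (n, n - 1) if n % 2 else (n - 1, n)
    for m, forbidden in ((odd, {5, 7}), (even, {3, 7})):
        if any(q % 8 in forbidden for q in prime_factors(m)):
            return False
    return True


def cyclotomic_value(k, z, p):
    """Phi_k(z) mod p via z^k - 1 = prod_{d | k} Phi_d(z); needs z^d != 1 for all d | k."""
    value = (pow(z, k, p) - 1) % p
    for d in range(1, k):
        if k % d == 0:
            value = value * pow(cyclotomic_value(d, z, p), -1, p) % p
    return value


def corollary_2_witness(p, bases=(2, 3, 5, 7, 11), kmax=12):
    """(b, k) with z = b^((p-1)/G_p) in the order-G_p subgroup, z^k != 1 and Phi_k(z) a
    non-residue, which refutes A - A = R_p by Corollary 2; None if none is found."""
    e = (p - 1) // G(p)
    for b in bases:
        z = pow(b, e, p)
        if z == 1:
            continue
        for k in range(2, kmax + 1):
            if pow(z, k, p) != 1 and legendre(cyclotomic_value(k, z, p), p) == -1:
                return b, k
    return None


def sieve(n_max):
    """n in 4..n_max (so p > 13) with p = 2n(n-1)+1 prime surviving Corollary 1,
    Corollary 3 (p = 5 mod 8) and Theorem 5."""
    survivors = []
    for n in range(4, n_max + 1):
        p = 2 * n * (n - 1) + 1
        if is_prime(p) and p % 8 == 5 and passes_theorem_5(n) and passes_corollary_1(n, p):
            survivors.append(n)
    return survivors


if __name__ == "__main__":
    for n in sieve(700):
        p = 2 * n * (n - 1) + 1
        print(n, p, G(p), corollary_2_witness(p))
```

For $n\le 700$ (that is, $p < 10^6$) the survivors are exactly $n = 51$ and $n = 650$, with $G_{5101} = 25$ and $G_{843701} = 325$ as in Fig. 1, and for both the witness $z = 2^{(p-1)/G_p}$, $k = 2$ is found, in agreement with the discussion above.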

Theorem 4 will be derived as a straightforward corollary of the Semi-primitivity Theorem from the theory of difference sets. Recall that for positive integers $v, k$, and $\lambda$, a $(v,k,\lambda)$-difference set is a $k$-element subset of a $v$-element group such that (assuming additive notation) every non-zero group element has exactly $\lambda$ representations as a difference of two elements of the set. The following somewhat unexpected claim shows how difference sets come into the play, and allows us to apply the well-established machinery of difference sets in our problem.

Claim 1. Suppose that $p$ is a prime and $A\subseteq\mathbb{F}_p$ satisfies $A - A = \mathcal{R}_p$. Write $n := |A|$ and fix arbitrarily a quadratic non-residue $u\in\mathcal{N}_p$. Then the $n^2$ sums $a' + ua''$ with $a', a''\in A$ are pairwise distinct, and the set $D$ of all these sums is a $(p, n^2, n(n+1)/2)$-difference set in $\mathbb{F}_p$.

We remark that the Multiplier Conjecture [La83, Conjecture 6.7] along with Claim 1 lead to a conclusion much stronger than Corollary 1: namely, if there is a subset $A\subseteq\mathbb{F}_p$ with $A - A = \mathcal{R}_p$, then, writing $p = 2n(n-1)+1$, the least common multiple $\operatorname{lcm}\{\operatorname{ord}_p(q) : q\mid (p-1)/4\}$ is a divisor of either $n$ or $n-1$.

On a historical note, it was Broughton [B95] who first used biquadratic reciprocity to study $(2n(n-1)+1, n^2, n(n+1)/2)$-difference sets.

Our last result is a lemma which is used in the proof of Theorems 1 and 2, and 
which we believe is also of independent interest. 
Lemma 1. If $p > 5$ is a prime and $A\subseteq\mathbb{F}_p$ satisfies $A - A = \mathcal{R}_p$, then $|M_A|$ is odd; that is, $-1\notin M_A$.

The rest of the paper is devoted to the proofs of the above-discussed results. We 
prove Lemma 1 in the next section, and Theorems 1 and 2 in Section 4. In Section 5 
we prove Claim 1, present the Semi-primitivity Theorem, and derive Theorem 4. In 
Section 6 we state Lemmermeyer’s biquadratic reciprocity law and prove Theorem 5. 
Theorem 3 is proved in Section 7; the proof uses some basic algebraic number theory. 
Finally, in the Appendix we give an equivalent restatement of the problem studied in 
this paper in terms of algebraic number theory. 


3. $|M_A|$ is odd: the proof of Lemma 1


Suppose that $p$ is a prime and $A\subseteq\mathbb{F}_p$ satisfies $A - A = \mathcal{R}_p$; we want to show that the multiplier subgroup $M_A < \mathbb{F}_p^\times$ has odd order.

For a subset $S\subseteq\mathbb{F}_p$ and integer $j\ge 0$, let

$$\sigma_j(S) := \sum_{s\in S} s^j,$$

subject to the agreement that if $0\in S$ and $j = 0$, then the corresponding summand is equal to $1$ (so that $\sigma_0(S) = |S|$). For every $1\le k < (p-1)/2$ we have

$$\sum_{a', a''\in A}(a'-a'')^k = \sum_{x\in\mathcal{R}_p} x^k = 0$$

(the last sum is one half of $\sum_{y\in\mathbb{F}_p^\times} y^{2k}$, which vanishes unless $(p-1)\mid 2k$); expanding the binomial and changing the order of summation, we get

$$\sum_{j=0}^{k}\binom{k}{j}(-1)^{k-j}\,\sigma_j(A)\,\sigma_{k-j}(A) = 0, \qquad 1\le k < \frac{p-1}{2}. \qquad (5)$$

Write $m := |M_A|$. Having $A$ suitably translated, we can assume that $A\setminus\{0\}$ is a union of cosets of $M_A$, and let then $C$ be the set of arbitrarily chosen representatives of these cosets. We distinguish two cases.

Suppose first that $0\notin A$. In this case $\sigma_j(A) = \sigma_j(C)\,\sigma_j(M_A)$ and

$$\sigma_j(M_A) = \begin{cases} m & \text{if } m\mid j,\\ 0 & \text{otherwise,}\end{cases}$$

whence (5) is non-trivial only if $m\mid k$, and in this case (with a minor change of notation, and after cancelling the common factor $m^2$) it can be re-written as

$$\sum_{j=0}^{k}\binom{km}{jm}(-1)^{(k-j)m}\,\sigma_{jm}(C)\,\sigma_{(k-j)m}(C) = 0, \qquad 0 < k < \frac{p-1}{2m}. \qquad (6)$$

Taking $k = 1$ gives $(1 + (-1)^m)\,\sigma_0(C)\,\sigma_m(C) = 0$, and if $m$ were even (contrary to the assertion of the lemma) then, in view of $\sigma_0(C) = |C|\ne 0$, we would have $\sigma_m(C) = 0$. Furthermore, we could then re-write (6) as

$$2|C|\,\sigma_{km}(C) = -\sum_{j=1}^{k-1}\binom{km}{jm}\,\sigma_{jm}(C)\,\sigma_{(k-j)m}(C),$$

and substituting subsequently $k = 2, 3, \dots$ we conclude that $\sigma_{km}(C) = 0$ whenever $0 < k < (p-1)/(2m)$. Equivalently, the $|C|$ elements $c^m$ ($c\in C$) have the property that the sum of their $k$th powers vanishes for all $0 < k < (p-1)/(2m)$; hence for all $0 < k\le |C|$ in view of

$$|C| = \frac{|A|}{|M_A|} = \frac{n}{m} < \frac{n(n-1)}{m} = \frac{p-1}{2m}$$

(we use here our standard notation: $n = |A|$ and $p = 2n(n-1)+1$. Notice that this estimate uses the assumption $p > 5$, that is, $n > 2$.) As a result, by Newton's identities all elementary symmetric polynomials of the elements $c^m$ vanish, so all these elements, and therefore also all elements of $C$, are equal to $0$, a contradiction establishing the assertion in the case $0\notin A$.

Turning to the situation where $0\in A$, we write $A_0 := A\setminus\{0\}$ and notice that in this case $\sigma_0(A) = |A| = m|C| + 1$ and $\sigma_j(A) = \sigma_j(A_0) = \sigma_j(C)\,\sigma_j(M_A)$ for every $j > 0$; as a result,

$$\sigma_j(A) = \begin{cases} m|C| + 1 & \text{if } j = 0,\\ m\,\sigma_j(C) & \text{if } m\mid j \text{ and } j > 0,\\ 0 & \text{if } m\nmid j.\end{cases}$$

Hence, assuming that $m$ is even, from (5) we get

$$2(m|C|+1)\cdot m\,\sigma_{km}(C) = -m^2\sum_{j=1}^{k-1}\binom{km}{jm}\,\sigma_{jm}(C)\,\sigma_{(k-j)m}(C), \qquad 0 < k < \frac{p-1}{2m}.$$

Now taking $k = 1$ yields $\sigma_m(C) = 0$, and then subsequently $\sigma_{km}(C) = 0$ for each $0 < k < (p-1)/(2m)$, leading to a contradiction exactly as above.

This completes the proof of Lemma 1.


4. Proofs of Theorems 1 and 2: One Coset is not Enough

For a prime $p$, let $\chi_p$ denote the quadratic character modulo $p$ extended onto the whole field $\mathbb{F}_p$ by $\chi_p(0) = 0$. We need the following well-known identity (which is equivalent, for instance, to [IR90, Chapter 5, Exercise 8]):

$$\sum_{x\in\mathbb{F}_p}\chi_p\big((x+a)(x+b)\big) = \begin{cases} p-1 & \text{if } a = b,\\ -1 & \text{if } a\ne b,\end{cases} \qquad a, b\in\mathbb{F}_p. \qquad (7)$$

Recall that we are interested in the situation where $p\equiv 1 \pmod 4$, in which case $\chi_p(-1) = 1$; equivalently, $\chi_p(-x) = \chi_p(x)$ for all $x\in\mathbb{F}_p$.

Proof of Theorem 1. Clearly, it suffices to show that for $p > 13$ prime and $H < \mathbb{F}_p^\times$, one cannot have $H - H = \mathcal{R}_p$ or $H - H = \mathcal{N}_p$. For a contradiction, suppose that one of these relations holds true. Write $n := |H|$, so that $p = 2n(n-1)+1$. From Lemma 1 (as applied to a suitable coset of $H$ in the case $H - H = \mathcal{N}_p$), we know that $n$ is odd, implying $-1\notin H$; hence, $H$ is disjoint with $-H := \{-h : h\in H\}$.

For any $h_1, h_2\in H$ with $h_1\ne h_2$, either both $h_1^2 - h_2^2$ and $h_1 - h_2$ are quadratic residues, or they both are quadratic non-residues. In either case, their quotient $h_1 + h_2$ is a quadratic residue; that is,

$$\chi_p(h_1 + h_2) = 1, \qquad h_1, h_2\in H,\ h_1\ne h_2. \qquad (8)$$

We distinguish two cases, according to whether $H - H = \mathcal{R}_p$ or $H - H = \mathcal{N}_p$. Suppose first that $H - H = \mathcal{R}_p$, and let in this case

$$\sigma(x) := \sum_{h\in H}\big(\chi_p(x+h) + \chi_p(x-h)\big), \qquad x\in\mathbb{F}_p.$$

In view of (8) and our present assumption $H - H = \mathcal{R}_p$, for each $x\in H$ we have

$$\sigma(x)\ge (n-2) + (n-1) = 2n-3.$$

Along with $\sigma(-x) = \sigma(x)$ (following from $p\equiv 1 \pmod 4$ and $\chi_p(-1) = 1$ resulting from it), this yields

$$\sum_{x\in H\cup(-H)}\sigma^2(x)\ge 2n(2n-3)^2. \qquad (9)$$

On the other hand, the sum extended over all $x\in\mathbb{F}_p$ can be computed explicitly:

$$\sum_{x\in\mathbb{F}_p}\sigma^2(x) = \sum_{x\in\mathbb{F}_p}\ \sum_{h_1, h_2\in H}\big(\chi_p(x+h_1) + \chi_p(x-h_1)\big)\big(\chi_p(x+h_2) + \chi_p(x-h_2)\big)$$
$$= \sum_{h_1, h_2\in H}\ \sum_{x\in\mathbb{F}_p}\Big(\chi_p\big((x+h_1)(x+h_2)\big) + \chi_p\big((x-h_1)(x-h_2)\big) + \chi_p\big((x+h_1)(x-h_2)\big) + \chi_p\big((x-h_1)(x+h_2)\big)\Big)$$
$$= 2pn - 4n^2 = 2n(2n^2 - 4n + 1), \qquad (10)$$

as it follows from (7) and since $h_1\ne -h_2$ whenever $h_1, h_2\in H$ in view of $-1\notin H$. Comparing (9) and (10) we conclude that $2n(2n-3)^2\le 2n(2n^2 - 4n + 1)$, which simplifies to $(n-2)^2\le 0$ and thus yields $n = 2$, contrary to the assumption $p > 13$.
Addressing now the case where $H - H = \mathcal{N}_p$, we re-define the sum $\sigma(x)$ letting this time

$$\sigma(x) := \sum_{h\in H}\big(\chi_p(x+h) - \chi_p(x-h)\big), \qquad x\in\mathbb{F}_p.$$

In view of (8) and the assumption $H - H = \mathcal{N}_p$, we have again

$$\sigma(x)\ge (n-2) + (n-1) = 2n-3, \qquad x\in H.$$

Since $\sigma(-x) = -\sigma(x)$, we derive that

$$\sum_{x\in H\cup(-H)}\sigma^2(x)\ge 2n(2n-3)^2.$$

On the other hand, a computation similar to (10) gives

$$\sum_{x\in\mathbb{F}_p}\sigma^2(x) = 2pn = 2n(2n^2 - 2n + 1).$$

As a result, $2n(2n-3)^2\le 2n(2n^2 - 2n + 1)$, leading to $n\le 4$. To complete the proof we notice that $n\le 3$ corresponds to $p\le 13$, while $n = 4$ yields $p = 25$, which is composite. □

Proof of Theorem 2. The proof is a variation of that of Theorem 1.

Aiming at a contradiction, suppose that $p > 5$ is prime, $H < \mathbb{F}_p^\times$, $g\in\mathbb{F}_p^\times$, and $A := gH\cup\{0\}$ satisfies $A - A = \mathcal{R}_p$. Since $g$ is representable as a difference of two elements of $A$, we have $g\in\mathcal{R}_p$, and dilating $A$ by the factor $g^{-1}$ we can assume that, indeed, $g = 1$; that is, $A = H\cup\{0\}$.

Write $n := |A|$, so that $p = 2n(n-1)+1$ and $|H| = n-1$. From Lemma 1, we know that $|M_A|$ is odd; since $H\le M_A$, so is $|H|$, whence $-1\notin H$ and therefore $H$ is disjoint with $-H$.

For any $h\in H$ and $a_1, a_2\in A$ with $a_1\ne a_2$, both $a_1h - a_2h$ and $a_1 - a_2$ are quadratic residues, and so must be their quotient $h$: thus,

$$\chi_p(h) = 1, \qquad h\in H. \qquad (11)$$

Similarly,

$$\chi_p(h_1 + h_2) = 1, \qquad h_1, h_2\in H,\ h_1\ne h_2, \qquad (12)$$

in view of $h_1 + h_2 = (h_1^2 - h_2^2)/(h_1 - h_2)$.

Let

$$\sigma(x) := \sum_{a\in A}\big(\chi_p(x+a) + \chi_p(x-a)\big), \qquad x\in\mathbb{F}_p.$$

From (11) and (12), and since $A - A = \mathcal{R}_p$, we have

$$\sigma(x)\ge (n-2) + (n-1) = 2n-3, \qquad x\in H,$$

and

$$\sigma(0) = 2(n-1).$$

Observing that $\sigma(-x) = \sigma(x)$ we derive that

$$\sum_{x\in H\cup(-H)\cup\{0\}}\sigma^2(x)\ge 2(n-1)(2n-3)^2 + 4(n-1)^2 = 2(n-1)(4n^2 - 10n + 7).$$

On the other hand, a computation similar to (10) gives

$$\sum_{x\in\mathbb{F}_p}\sigma^2(x) = 2(n+1)p - 4n^2 = 2(n-1)(2n^2 - 1).$$

As a result, $4n^2 - 10n + 7\le 2n^2 - 1$, implying $n\le 4$. The assumption $p > 5$ now gives $n = 3$ (as $n = 4$ would yield $p = 25$, which is composite); consequently, $p = 13$ and $|H| = 2$, whence $H = \{1, -1\}$. However, the set $A = \{0, 1, -1\}\subseteq\mathbb{F}_{13}$ does not have the property $A - A = \mathcal{R}_{13}$. □

5. Proofs of Claim 1 and Theorem 4

Proof of Claim 1. To see that the sums $a' + ua''$ are pairwise distinct, we notice that $a_1' + ua_1'' = a_2' + ua_2''$ with $(a_1', a_1'')\ne(a_2', a_2'')$ would result in $u = (a_1' - a_2')/(a_2'' - a_1'')$, while for $a_1', a_1'', a_2', a_2''\in A$, both the numerator and the denominator are quadratic residues in view of $A - A = \mathcal{R}_p$.

It remains to show that every non-zero element of $\mathbb{F}_p$ has exactly $n(n+1)/2$ representations as a difference of two elements of the set $D := \{a' + ua'' : a', a''\in A\}$.

Let $\zeta$ be a fixed primitive root of unity of degree $p$, and denote by $\mathbb{K}$ the $p$th cyclotomic field; that is, $\zeta\ne 1$, $\zeta^p = 1$ and $\mathbb{K} = \mathbb{Q}[\zeta]$. Write $\alpha := \sum_{a\in A}\zeta^a$, so that $A - A = \mathcal{R}_p$ yields

$$|\alpha|^2 = n + \rho, \qquad (13)$$

where

$$\rho := \sum_{x\in\mathcal{R}_p}\zeta^x \qquad (14)$$

is a quadratic Gaussian period (see, for instance, [D82, Chapter 3]).

Set $\delta := \sum_{d\in D}\zeta^d$; thus,

$$\delta = \sum_{a'\in A}\zeta^{a'}\cdot\sum_{a''\in A}\zeta^{ua''} = \alpha\,\psi(\alpha), \qquad (15)$$

with $\psi\in\operatorname{Gal}(\mathbb{K}/\mathbb{Q})$ defined by $\psi(\zeta) = \zeta^u$. Let $\tau\in\operatorname{Gal}(\mathbb{K}/\mathbb{Q})$ denote the complex conjugation automorphism. Since $\operatorname{Gal}(\mathbb{K}/\mathbb{Q})$ is abelian ([IR90, Chapter 13, §2, Corollary 2] or [M77, Page 18, Corollary 2]), we have

$$\psi(|\alpha|^2) = \psi(\alpha\,\tau(\alpha)) = \psi(\alpha)\,\tau(\psi(\alpha)) = |\psi(\alpha)|^2. \qquad (16)$$
From (13)–(16) and

$$\psi\Big(\sum_{x\in\mathcal{R}_p}\zeta^x\Big) = \sum_{x\in\mathcal{N}_p}\zeta^x = -1 - \sum_{x\in\mathcal{R}_p}\zeta^x$$

(multiplication by the non-residue $u$ maps $\mathcal{R}_p$ onto $\mathcal{N}_p$), we obtain

$$|\delta|^2 = |\alpha|^2\,|\psi(\alpha)|^2 = |\alpha|^2\,\psi(|\alpha|^2) = (n+\rho)(n-1-\rho) = \frac{n(n-1)}{2} = n^2 - \frac{n(n+1)}{2} = |D| + \frac{n(n+1)}{2}\sum_{x\in\mathbb{F}_p^\times}\zeta^x.$$

Comparing this equality with

$$|\delta|^2 = |D| + \sum_{x\in\mathbb{F}_p^\times} r(x)\,\zeta^x,$$

where $r(x)$ is the number of representations of $x$ as a difference of two elements of $D$, we conclude that $r(x) = n(n+1)/2$ for every $x\in\mathbb{F}_p^\times$. □

We remark that the second assertion of Claim 1 can also be proved using the group ring approach. Namely, identifying subsets $A, D, \mathcal{R}_p, \mathcal{N}_p, \mathbb{F}_p^\times\subseteq\mathbb{F}_p$ with the corresponding elements of the group ring $\mathbb{Z}\mathbb{F}_p$, we have

$$D = A\,A^{(u)}, \qquad A\,A^{(-1)} = n + \mathcal{R}_p, \qquad \mathcal{R}_p^{(u)} = \mathcal{N}_p, \qquad\text{and}\qquad \mathcal{R}_p\,\mathcal{N}_p = \frac{n(n-1)}{2}\,\mathbb{F}_p^\times,$$

the last equality reflecting the well-known fact that for $p\equiv 1 \pmod 4$, every element of $\mathbb{F}_p^\times$ has exactly $(p-1)/4$ representations as a sum of a quadratic residue and a quadratic non-residue. Hence, we have the chain of group ring equalities

$$D\,D^{(-1)} = A\,A^{(-1)}\,A^{(u)}\,A^{(-u)} = (n + \mathcal{R}_p)(n + \mathcal{R}_p)^{(u)} = (n + \mathcal{R}_p)(n + \mathcal{N}_p) = n^2 + n\,\mathbb{F}_p^\times + \frac{n(n-1)}{2}\,\mathbb{F}_p^\times = n^2 + \frac{n(n+1)}{2}\,\mathbb{F}_p^\times,$$

proving the assertion.
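The following Python code, an added example and not part of the paper, builds the set $D$ of Claim 1 from $A_{13} = \{2,5,6\}$ with the non-residue $u = 2$ and counts the representations of every non-zero element of $\mathbb{F}_{13}$ as a difference of two elements of $D$; function names and the choice of $u$ are ours.

```python
"""Added example (not from the paper): the difference set D = {a' + u a''} of Claim 1
for the paper's set A_13 = {2, 5, 6}.  Function names and the choice of u are ours."""
from collections import Counter


def quadratic_residues(p):
    return {pow(x, 2, p) for x in range(1, p)}


def claim1_set(A, u, p):
    """D = {a' + u*a'' : a', a'' in A} as a set.  Claim 1 asserts that the n^2 sums are
    pairwise distinct when A - A = R_p and u is a non-residue."""
    return {(a1 + u * a2) % p for a1 in A for a2 in A}


def difference_counts(D, p):
    """For every non-zero x, the number of pairs (d', d'') in D x D with d' - d'' = x."""
    counts = Counter((d1 - d2) % p for d1 in D for d2 in D if d1 != d2)
    return {x: counts.get(x, 0) for x in range(1, p)}


def difference_set_parameters(D, p):
    """(v, k, lambda) if D is a (v, k, lambda)-difference set in Z/pZ, else None."""
    lambdas = set(difference_counts(D, p).values())
    if len(lambdas) != 1:
        return None
    return p, len(D), lambdas.pop()


if __name__ == "__main__":
    p, A = 13, [2, 5, 6]
    u = min(set(range(1, p)) - quadratic_residues(p))     # smallest non-residue, u = 2
    D = claim1_set(A, u, p)
    print(sorted(D), difference_set_parameters(D, p))
```

One obtains $D = \{1,2,3,4,5,6,9,10,12\}$, nine distinct sums, with every non-zero $x$ represented exactly $6 = n(n+1)/2$ times, that is, a $(13, 9, 6)$-difference set; its complement $\{0,7,8,11\}$ is a $(13,4,1)$-difference set. With a residue such as $3$ in place of $u$ the nine sums collapse to six elements and no difference set results; for $A_5 = \{2,3\}$ and $u = 2$ one gets $D = \mathbb{F}_5^\times$, a $(5,4,3)$-difference set, again with $\lambda = n(n+1)/2$.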

We now state the part of the Semi-primitivity Theorem that is relevant for our purposes. For co-prime integers $q, e > 1$, by $\langle q\rangle_e$ we denote the subgroup of $(\mathbb{Z}/e\mathbb{Z})^\times$ multiplicatively generated by $q$.

Theorem 6 ([La83, Theorem 4.5]). Suppose that $G$ is a finite abelian group of exponent $e$. If $G$ possesses a $(v,k,\lambda)$-difference set, then for any prime $q$ with $q\mid k-\lambda$ and $q\nmid e$, we have $-1\notin\langle q\rangle_e$.

To deduce Theorem 4 from Theorem 6, we apply the latter to the set $D$ of Claim 1. Since

$$k - \lambda = n^2 - \frac{n(n+1)}{2} = \frac{n(n-1)}{2} = \frac{p-1}{4},$$

we conclude that if $q\mid (p-1)/4$ is prime, then $\langle q\rangle_p$ is an odd-order subgroup of $\mathbb{F}_p^\times$; that is, $\operatorname{ord}_p(q)$ is odd. This proves Theorem 4.


6. Biquadratic reciprocity and the Proof of Theorem 5

The proof of Theorem 5 relies on Lemmermeyer's biquadratic reciprocity law. To state it, we recall that the rational biquadratic residue symbol is defined for prime $p\equiv 1 \pmod 4$ and quadratic residue $b\in\mathcal{R}_p$ by

$$\left(\frac{b}{p}\right)_4 = \begin{cases} 1 & \text{if } b \text{ is a biquadratic residue modulo } p,\\ -1 & \text{if } b \text{ is not a biquadratic residue modulo } p.\end{cases}$$

Notice that $\left(\frac{b}{p}\right)_4\equiv b^{(p-1)/4} \pmod p$ implies multiplicativity of the rational biquadratic residue symbol.

For consistency, in this section we use the Legendre symbol $(\cdot/p)$ for the quadratic character modulo $p$ (which was denoted $\chi_p(\cdot)$ in Section 4, mostly for typographical reasons).

Theorem 7 ([Le00, Proposition 5.5]). Suppose that $p\equiv 1 \pmod 4$ is prime, and write $p = u^2 + v^2$ with $u$ odd and $v$ even. Suppose also that $q > 2$ is a prime with $(p/q) = 1$, and let $c$ be an integer such that $c^2\equiv p \pmod q$. Finally, let $q^* := (-1)^{(q-1)/2}q$, so that $(q^*/p) = 1$ by multiplicativity of the Legendre symbol and the quadratic reciprocity law. Then

$$\left(\frac{q^*}{p}\right)_4 = \begin{cases}\left(\dfrac{c(v+c)}{q}\right) & \text{if } q\nmid v+c,\\[1ex] \left(\dfrac{-c(v-c)}{q}\right) & \text{if } q\mid v+c.\end{cases}$$

We remark that, strictly speaking, the case where $q\mid v+c$ is not addressed in [Le00], but it is easy to deduce from the case where $q\nmid v+c$. For, if $q\mid v+c$, then $q\nmid v-c$ in view of $q\nmid c$, and applying then the original Lemmermeyer's theorem with $c$ replaced by $-c$, we get

$$\left(\frac{q^*}{p}\right)_4 = \left(\frac{-c(v-c)}{q}\right).$$
Proof of Theorem 5. Suppose that $p$ is a prime and $A\subseteq\mathbb{F}_p$ satisfies $A - A = \mathcal{R}_p$; thus, $p = 2n(n-1)+1$ where $n := |A|$. From Corollary 3, we have $p\equiv 5 \pmod 8$, whence

$$\left(\frac{-1}{p}\right)_4 = (-1)^{(p-1)/4} = -1. \qquad (17)$$

Let $u$ and $v$ denote the odd and the even of the two numbers $n-1$ and $n$, respectively; notice that this is consistent with the notation of Theorem 7 as $p = (n-1)^2 + n^2 = u^2 + v^2$. Since $p\equiv 5 \pmod 8$, a prime $q$ divides $(p-1)/4 = n(n-1)/2$ if and only if it is odd and divides either $u$, or $v$. In this case $p\equiv 1 \pmod q$, and we apply Theorem 7 with $c = 1$ to obtain

$$\left(\frac{q^*}{p}\right)_4 = \begin{cases}\left(\dfrac{v+1}{q}\right) & \text{if } q\nmid v+1,\\[1ex] \left(\dfrac{-(v-1)}{q}\right) & \text{if } q\mid v+1,\end{cases} \qquad (18)$$

where $q^* := (-1)^{(q-1)/2}q$. On the other hand, Theorem 4 shows that $q$ is a biquadratic residue modulo $p$ (an element of odd order in the cyclic group $\mathbb{F}_p^\times$, whose order $p-1$ is divisible by $4$, is a fourth power), and therefore using (17) we get

$$\left(\frac{q^*}{p}\right)_4 = \left(\frac{-1}{p}\right)_4^{(q-1)/2}\left(\frac{q}{p}\right)_4 = (-1)^{(q-1)/2}. \qquad (19)$$

From (18) and (19),

$$(-1)^{(q-1)/2} = \left(\frac{v+1}{q}\right) \qquad\text{if } q\nmid v+1 \qquad (20)$$

and

$$(-1)^{(q-1)/2} = \left(\frac{-(v-1)}{q}\right) \qquad\text{if } q\mid v+1. \qquad (21)$$

If $q\mid v$, then $q\nmid v+1$, and (20) immediately gives $(-1)^{(q-1)/2} = (1/q) = 1$, that is, $q\in\{1,5\} \pmod 8$. If $q\mid u$, we distinguish two further sub-cases. If $q\nmid v+1$, then $u\in\{v-1, v+1\}$ along with our present assumption $q\mid u$ shows that $u = v-1$; thus $v+1\equiv 2 \pmod q$, and (20) gives $(-1)^{(q-1)/2} = (2/q)$, whence $q\in\{1,3\} \pmod 8$. If $q\mid v+1$, then $u = v+1$ and $-(v-1)\equiv 2 \pmod q$, so that (21) leads to the same conclusion $q\in\{1,3\} \pmod 8$.

We have shown that for a prime $q > 2$, if $q$ divides the even of the two numbers $n-1$ and $n$, then $q\equiv 1 \pmod 8$ or $q\equiv 5 \pmod 8$, and if $q$ divides the odd of these two numbers, then $q\equiv 1 \pmod 8$ or $q\equiv 3 \pmod 8$. This is equivalent to the assertion of Theorem 5. □


7. Proof of Theorem 3: $M_A$ lies above the order-$G_p$ subgroup of $\mathbb{F}_p^\times$

In this section and the Appendix we use several basic algebraic number theory facts, such as for instance:

i) the Galois group of the $m$th cyclotomic field is isomorphic to the group of units $(\mathbb{Z}/m\mathbb{Z})^\times$; hence, it is abelian;

ii) if $p$ and $q$ are distinct odd primes, then, letting $f := \operatorname{ord}_p(q)$, the principal ideal $(q)$ in the $p$th cyclotomic field splits into a product of $(p-1)/f$ pairwise distinct prime ideals, all of which are fixed by the order-$f$ subgroup of the corresponding Galois group;

iii) Kronecker's theorem: an algebraic integer all of whose algebraic conjugates lie on the unit circle is a root of unity; consequently, any cyclotomic integer of modulus $1$ is a root of unity;

iv) if $m$ is odd, then the only roots of unity of the $m$th cyclotomic field are the roots of degree $2m$.

The proofs can be found in any standard algebraic number theory textbook, as [IR90] or [M77].

Proof of Theorem 3. Suppose that $p$ is a prime and $A\subseteq\mathbb{F}_p$ satisfies $A - A = \mathcal{R}_p$. Write $n := |A|$, so that $p = 2n(n-1)+1$. Let $\zeta$ be a primitive root of unity of degree $p$, and denote by $\mathbb{K}$ the $p$th cyclotomic field (thus, $\mathbb{K} = \mathbb{Q}[\zeta]$), and by $\mathcal{O}$ the ring of integers of $\mathbb{K}$. As in the proof of Claim 1, write $\alpha := \sum_{a\in A}\zeta^a$, so that $\alpha\in\mathcal{O}$ and

$$|\alpha|^2 = n + \rho \qquad (22)$$

with

$$\rho := \sum_{x\in\mathcal{R}_p}\zeta^x = \frac{\sqrt p - 1}{2}. \qquad (23)$$

It is well known that every rational prime $q\ne p$ splits in $\mathcal{O}$ into a product of $(p-1)/\operatorname{ord}_p(q)$ pairwise distinct prime ideals, all of which are fixed by the subgroup of $\operatorname{Gal}(\mathbb{K}/\mathbb{Q})$ of order $\operatorname{ord}_p(q)$. The intersection of these subgroups over all primes $q\mid (p-1)/4$ is the subgroup $H < \operatorname{Gal}(\mathbb{K}/\mathbb{Q})$ of order $|H| = G_p$, and since, by (22), $\alpha$ is a divisor of $n + \rho$, which in turn is a divisor of $(p-1)/4 = (n+\rho)(n-1-\rho)$, we conclude that the ideal generated by $\alpha$ is fixed by $H$. Hence, for every automorphism $\varphi\in H$ there exists a unit $u\in\mathcal{O}$ (depending on $\varphi$) such that

$$\varphi(\alpha) = u\alpha. \qquad (24)$$

Since $p$ is a quadratic residue modulo every odd prime $q$ dividing $p-1$ (and every prime $q\mid (p-1)/4$ is odd, because $(p-1)/4$ is odd by Corollary 3), by quadratic reciprocity $q$ is a quadratic residue modulo $p$; that is, $q^{(p-1)/2}\equiv 1 \pmod p$. This shows that $\operatorname{ord}_p(q)$ is a divisor of $(p-1)/2$. As a result, $G_p$ divides $(p-1)/2$; that is, $H$ is contained in the subgroup of order $(p-1)/2$, which is easily seen to have $\mathbb{Q}(\sqrt p)\ni\rho$ as its fixed field. Therefore, re-using equality (16) from the proof of Claim 1 and in view of (22), for every automorphism $\varphi\in H$ we have

$$|\varphi(\alpha)|^2 = \varphi(|\alpha|^2) = n + \rho = |\alpha|^2.$$

Comparing this with (24), we conclude that $|u| = 1$. From the fact that $\operatorname{Gal}(\mathbb{K}/\mathbb{Q})$ is abelian it follows then that all algebraic conjugates of $u$ have modulus $1$, and by Kronecker's theorem $u$ is a root of unity; thus, either $u = \zeta^v$, or $u = -\zeta^v$ with some $v\in\mathbb{F}_p$ depending on $\varphi$. The latter option is ruled out by considering traces from $\mathbb{K}$ to $\mathbb{Q}$: we have $\operatorname{tr}(\varphi(\alpha)) = \operatorname{tr}(\alpha)$ and $\operatorname{tr}(-\zeta^v\alpha)\equiv -\operatorname{tr}(\alpha) \pmod p$, while $\operatorname{tr}(\alpha)\equiv -n\not\equiv 0 \pmod p$. Therefore,

$$\varphi(\alpha) = \zeta^v\alpha; \qquad \varphi\in H,\ v = v(\varphi)\in\mathbb{F}_p. \qquad (25)$$

Recalling the definition of $\alpha$ and identifying $\operatorname{Gal}(\mathbb{K}/\mathbb{Q})$ with $\mathbb{F}_p^\times$ (the automorphism $\zeta\mapsto\zeta^\mu$ corresponding to $\mu$), we can interpret (25) as saying that for every $\mu\in H < \mathbb{F}_p^\times$, there exists $v = v(\mu)\in\mathbb{F}_p$ such that the dilate $\mu A = \{\mu a : a\in A\}$ satisfies $\mu A = A + v$; that is, $\mu$ is a multiplier of $A$. □

Appendix: An algebraic number theory restatement 

We aim here to pursue a little further the algebraic approach that was employed 
in the proofs of Claim 1 and Theorem 3, in the hope that it can ultimately give more 
insights into the problem. We keep using the notation introduced in these proofs: 
namely, given a prime p, we denote by £ a fixed primitive root of unity of degree p, by 
IK the p tli cyclotomic held, by O the ring of integers of IK, and we let p := {y/p— 1)/2. 
By tr we denote the trace function from IK to Q. Our goal is to prove the two following 
results. 


Proposition 1. Let $p$ be a prime number. For a subset $A \subseteq \mathbb F_p$ with $A - A = \mathcal R_p$ to exist, it is necessary and sufficient that $p = 2n(n-1)+1$ with an integer $n$, and that there is an algebraic integer $\alpha \in \mathcal O$ such that $|\alpha|^2 = n + \rho$ and $\operatorname{tr}(\alpha\zeta^{-k}) \in \{-n,\, p-n\}$ for every integer $k$.


Proposition 2. Let $p$ be a prime of the form $p = 2n(n-1)+1$ with $n$ an integer. For an algebraic integer $\alpha \in \mathcal O$ with $|\alpha|^2 = n + \rho$ to exist, it is necessary and sufficient that for every prime $q$ dividing $p-1$ to an odd power, the order $\operatorname{ord}_p(q)$ is odd.

To prove Proposition 1, we need 

Lemma 2. Let $p$ be a prime and $n \in [1, p-1]$ an integer. In order for $\alpha \in \mathcal O$ to satisfy $\operatorname{tr}(\alpha\zeta^{-k}) \in \{-n,\, p-n\}$ for every integer $k$, it is necessary and sufficient that $\alpha = \sum_{a \in A} \zeta^a$, where $A$ is an $n$-element subset of $\mathbb F_p$.


Proof. It is readily seen that the condition is sufficient: if $\alpha = \sum_{a \in A} \zeta^a$ with $A \subseteq \mathbb F_p$ and $|A| = n$, then

$\operatorname{tr}(\alpha\zeta^{-k}) = \begin{cases} -n & \text{if } k \notin A, \\ p - n & \text{if } k \in A. \end{cases}$


To prove necessity, write $\alpha = \sum_{x \in \mathbb F_p} a_x \zeta^x$ with integer coefficients $a_x$. For every $k \in \mathbb Z$ we have then

$\operatorname{tr}(\alpha\zeta^{-k}) = p\,a_k - \sum_{x \in \mathbb F_p} a_x$

(where $k$ in the right-hand side is identified with its canonical image in $\mathbb F_p$), and the assumption $\operatorname{tr}(\alpha\zeta^{-k}) \in \{-n,\, p-n\}$ implies that the coefficients $a_x$ attain at most two distinct integer values. Since adding simultaneously the same integer to all $a_x$ does not affect the value of the sum $\sum_{x \in \mathbb F_p} a_x \zeta^x$, we can assume without loss of generality that at most one value assumed by $a_x$ is distinct from $0$; hence, writing $A := \{x \in \mathbb F_p \colon a_x \ne 0\}$, there is an integer $c$ such that

$\alpha = c \sum_{a \in A} \zeta^a.$ (26)

In fact, the subset $A \subseteq \mathbb F_p$ is proper and non-empty and $c \ne 0$, as otherwise we would have $\alpha = 0$, which is inconsistent with $\operatorname{tr}(\alpha\zeta^{-k}) \in \{-n,\, p-n\}$. Consequently, (26) implies that $\operatorname{tr}(\alpha\zeta^{-k})$ assumes exactly two distinct values, both divisible by $c$. Observing, on the other hand, that $\gcd(-n, p-n) = \gcd(n, p) = 1$, we conclude that $c \in \{-1, 1\}$. Replacing now $A$ with its complement in $\mathbb F_p$, if necessary, we can assume that, indeed, $c = 1$ holds. Thus, $\alpha = \sum_{a \in A} \zeta^a$, and it remains to notice that this yields $\operatorname{tr}(\alpha\zeta^{-k}) \in \{-|A|,\, p-|A|\}$, whence $|A| = n$. □

Proof of Proposition 1. We know from Lemma 2 (see also the proofs of Claim 1 and Theorem 3) that if $A - A = \mathcal R_p$ for a subset $A \subseteq \mathbb F_p$ then, writing $n := |A|$ and $\alpha := \sum_{a \in A} \zeta^a$, we have $p = 2n(n-1)+1$, $|\alpha|^2 = n + \rho$, and $\operatorname{tr}(\alpha\zeta^{-k}) \in \{-n,\, p-n\}$ for every integer $k$.

Conversely, suppose that $p = 2n(n-1)+1$ and that for some $\alpha \in \mathcal O$ we have $|\alpha|^2 = n + \rho$ and $\operatorname{tr}(\alpha\zeta^{-k}) \in \{-n,\, p-n\}$ for every integer $k$. By Lemma 2, there is an $n$-element subset $A \subseteq \mathbb F_p$ such that $\alpha = \sum_{a \in A} \zeta^a$. Hence,

$\sum_{x \in \mathcal R_p} \zeta^x = \rho = |\alpha|^2 - n = \sum_{\substack{a', a'' \in A \\ a' \ne a''}} \zeta^{a' - a''},$

implying $A - A = \mathcal R_p$. □
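The conclusion of the proof of Theorem 3 above (every $\varphi \in H$ is a multiplier of $A$), Lemma 2 and Proposition 1 all reduce to finite computations once a prime $p$ and a set $A$ are fixed, and it is instructive to carry them out. The Python script below is an added example and not code from the paper: it checks whether a given $A \subseteq \mathbb F_p$ has $A - A = \mathcal R_p$ with every residue represented exactly once, evaluates $\operatorname{tr}(\alpha\zeta^{-k})$ exactly over $\mathbb Z$ from $\operatorname{tr}(\zeta^j) \in \{p-1, -1\}$, compares the numerically computed $|\alpha|^2$ with $n + \rho$, and searches for the shift $v$ in $\varphi A = A + v$. The inputs $A = \{0,1\}$ for $p = 5$ and $A = \{0,1,4\}$ for $p = 13$ are constructed sets that I verified by hand; all function names are my own.

```python
import cmath
import math


def quadratic_residues(p):
    """The set R_p of non-zero squares modulo the odd prime p."""
    return {pow(x, 2, p) for x in range(1, p)}


def difference_counts(p, A):
    """Multiset of differences a' - a'' (mod p) over a', a'' in A with a' != a'',
    returned as a dict: value -> number of representations."""
    counts = {}
    for a1 in A:
        for a2 in A:
            if a1 != a2:
                d = (a1 - a2) % p
                counts[d] = counts.get(d, 0) + 1
    return counts


def is_perfect_difference_set(p, A):
    """True iff A - A = R_p in the sense of the paper: every quadratic residue has
    exactly one representation a' - a'' and no other value is represented."""
    counts = difference_counts(p, A)
    return set(counts) == quadratic_residues(p) and all(c == 1 for c in counts.values())


def trace_alpha_zeta_power(p, A, k):
    """tr(alpha * zeta^{-k}) for alpha = sum_{a in A} zeta^a, computed exactly.
    Since tr(zeta^j) = p - 1 for j = 0 (mod p) and -1 otherwise, the trace of
    sum_j c_j zeta^j equals p * c_0 - sum_j c_j (exactly as in the proof of Lemma 2)."""
    coeffs = {}
    for a in A:
        j = (a - k) % p
        coeffs[j] = coeffs.get(j, 0) + 1
    return p * coeffs.get(0, 0) - sum(coeffs.values())


def abs_alpha_squared(p, A):
    """|alpha|^2 evaluated numerically with zeta = exp(2*pi*i/p)."""
    zeta = cmath.exp(2j * math.pi / p)
    alpha = sum(zeta ** a for a in A)
    return abs(alpha) ** 2


def expected_abs_alpha_squared(p, n):
    """n + rho with rho = (sqrt(p) - 1)/2, the value forced by Proposition 1."""
    return n + (math.sqrt(p) - 1) / 2


def multiplier_shift(p, A, m):
    """If m is a multiplier of A, i.e. m*A = A + v for some v in F_p, return v; else None."""
    mA = {(m * a) % p for a in A}
    for v in range(p):
        if {(a + v) % p for a in A} == mA:
            return v
    return None


if __name__ == "__main__":
    # Constructed inputs: the two small primes of the form 2n(n-1)+1 with a set A.
    for p, A in ((5, {0, 1}), (13, {0, 1, 4})):
        n = len(A)
        print(p, sorted(A), "A - A = R_p:", is_perfect_difference_set(p, A))
        print("  tr(alpha zeta^-k), k = 0..p-1:",
              [trace_alpha_zeta_power(p, A, k) for k in range(p)])
        print("  |alpha|^2 =", round(abs_alpha_squared(p, A), 6),
              " n + rho =", round(expected_abs_alpha_squared(p, n), 6))
        found = {m: multiplier_shift(p, A, m) for m in range(1, p)}
        print("  multipliers m -> v:", {m: v for m, v in found.items() if v is not None})
```

For $p = 13$ the multipliers found are exactly $\{1, 3, 9\}$, the subgroup of $\mathbb F_{13}^*$ of order $3 = \operatorname{ord}_{13}(3)$, where $3$ is the prime dividing $p - 1 = 12$ to an odd power; this is the subgroup $H$ of order $f = \operatorname{ord}_p(q)$ that reappears in the proof of Proposition 2.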

Proof of Proposition 2. Consider a prime divisor $q$ of $p-1$ and denote by $\nu$ the power to which $q$ divides $(p-1)/4$; thus, $\nu$ is either equal to, or smaller by $2$ than, the power to which $q$ divides $p-1$. Since $p \equiv 1 \pmod q$ and, consequently, $p$ is a square modulo $q$, if $q$ is odd then it splits into two ideal primes in $\mathbb Q(\sqrt p)$. This conclusion stays true also if $q = 2$ and $\nu > 0$: for, in this case $p \equiv 1 \pmod 8$ (see, for instance, [IR90, Propositions 13.1.3 and 13.1.4] or [M77, Chapter 3, Theorem 25]). Now the decomposition

$\frac{p-1}{4} = (n + \rho)(n - 1 - \rho)$

and the fact that $n + \rho$ and $n - 1 - \rho$ are co-prime elements of $\mathbb Q(\sqrt p)$ show that the $\nu$th power of one of the two ideal primes into which $q$ splits divides $n + \rho$, while the $\nu$th power of the other one divides $n - 1 - \rho$. Denote by $\mathfrak q$ the prime whose $\nu$th power divides $n + \rho$; we thus have $(n + \rho) = \mathfrak q^{\nu} \mathfrak a$, where $\mathfrak a \subseteq \mathcal O$ is an ideal co-prime with $q$.

Write $f := \operatorname{ord}_p(q)$, so that $q$ splits into $(p-1)/f$ pairwise distinct ideal primes in $\mathcal O$ and, accordingly, $\mathfrak q$ splits into $k := (p-1)/(2f)$ pairwise distinct ideal primes: $\mathfrak q = \mathfrak q_1 \cdots \mathfrak q_k$, where each $\mathfrak q_i$ is stable under the subgroup $H < \operatorname{Gal}(\mathbb K/\mathbb Q)$ of order $f$. Assuming $|\alpha|^2 = n + \rho$ and observing that $|\alpha|^2 = \alpha\tau(\alpha)$, where $\tau$ is the complex conjugation automorphism of $\mathbb K$, we thus have
= (27) 

Suppose now that $f$ is even, so that $\tau \in H$ and, consequently, $\tau(\mathfrak q_i) = \mathfrak q_i$ for each $i \in [1, k]$. Comparing this with (27) we conclude that the factor $\mathfrak q^{\nu}$ in its right-hand side must split evenly between the two factors $(\alpha)$ and $\tau((\alpha))$; therefore, $\nu$ must be even. This proves necessity.

To prove sufficiency we invoke the Hasse norm theorem [J73, Theorem V.4.5], which says that if $K$ is a cyclic extension of a number field $L$, then an element of $L$ is the norm (from $K$ to $L$) of an element of $K$ if and only if it is a norm locally everywhere. The reader will see that, in fact, the theorem also gives necessity; however, we prefer to keep the simple "elementary" argument presented above.

Specified to our situation, Hasse's theorem gives the following. Let $\mathbb K^+$ be the real subfield of $\mathbb K$. For a prime ideal $\mathfrak p \subseteq \mathbb K^+$, denote by $\mathbb K^+_{\mathfrak p}$ the completion of $\mathbb K^+$ at $\mathfrak p$, and by $\mathbb K_{\mathfrak p}$ the corresponding completion of $\mathbb K$; thus, $\mathbb K_{\mathfrak p} = \mathbb K \mathbb K^+_{\mathfrak p}$. Then, according to the Hasse theorem, $n + \rho$ is a norm from $\mathbb K$ to $\mathbb K^+$ if and only if it is a norm from $\mathbb K_{\mathfrak p}$ to $\mathbb K^+_{\mathfrak p}$ for every prime $\mathfrak p$ of $\mathbb K^+$, including the infinite primes.

Accordingly, let $\mathfrak p \subseteq \mathbb K^+$ be a prime. We first show that $n + \rho$ is always a norm from $\mathbb K_{\mathfrak p}$ to $\mathbb K^+_{\mathfrak p}$ whenever $\mathfrak p \nmid \frac{p-1}{4}$. For notational convenience, we write below $\mathbb K' := \mathbb Q(\sqrt p)$.

If $\mathfrak p$ is an infinite prime, then it is a real prime and $\mathbb K^+_{\mathfrak p}$ is the field $\mathbb R$ of real numbers, as $\mathbb K^+$ is totally real. Furthermore, every real square, hence every positive real number, and in particular $n + \rho$, is a norm from the quadratic extension $\mathbb K_{\mathfrak p} = \mathbb C$.

If $\mathfrak p$ is a finite prime dividing $p$, then it is unique with this property, and $p$ is totally and tamely ramified in $\mathbb K$. Thus the extension $\mathbb K_{\mathfrak p}/\mathbb K^+_{\mathfrak p}$ is a tamely ramified quadratic extension. Since $n + \rho$ is not divisible by $\mathfrak p$, it is a unit in $\mathbb K^+_{\mathfrak p}$, so by [Se79, Chapter V, §3, Proposition 5] it is a norm from $\mathbb K_{\mathfrak p}$ if and only if it is a square modulo $\mathfrak p$. As the residue field of $\mathbb K_{\mathfrak p}$ modulo $\mathfrak p$ is $\mathbb F_p$, this is equivalent to $n + \rho$ being a square modulo the uniformizer $\sqrt p$ of the completion of $\mathbb K'$ at $p$ over $\mathbb Q_p$, where $\mathbb Q_p$ is the field of $p$-adic rationals, i.e. the completion of $\mathbb Q$ at $p$. Now $n + \rho \equiv n - \tfrac12 \pmod{\sqrt p}$, with the congruence in (a localization of) the ring of integers of $\mathbb K'$. At the same time, $p = 2n(n-1)+1$ implies $n - \tfrac12 \equiv n^2 \pmod p$. It follows that $n - \tfrac12 \equiv n^2 \pmod{\sqrt p}$, hence $n + \rho \equiv n^2 \pmod{\sqrt p}$, and so $n + \rho \equiv n^2 \pmod{\mathfrak p}$.

Finally, if $\mathfrak p$ is a finite prime not dividing $p$ (and also not dividing $\frac{p-1}{4}$), then the extension $\mathbb K_{\mathfrak p}/\mathbb K^+_{\mathfrak p}$ is unramified, in which case every unit of $\mathbb K^+_{\mathfrak p}$ is a norm from $\mathbb K_{\mathfrak p}$ [Se79, Chapter V, §2, Corollary to Proposition 3]. But $n + \rho$ is a unit of $\mathbb K^+_{\mathfrak p}$, as follows from the observation that $N_{\mathbb K'/\mathbb Q}(n + \rho) = \frac{p-1}{4}$ is not divisible by $\mathfrak p$.

We have thus shown that $n + \rho$ is always a norm from $\mathbb K_{\mathfrak p}$ to $\mathbb K^+_{\mathfrak p}$ whenever $\mathfrak p \nmid \frac{p-1}{4}$, and it remains to determine when $n + \rho$ is a norm for the primes $\mathfrak p \mid \frac{p-1}{4}$. Fix such a prime $\mathfrak p \subseteq \mathbb K^+$, let $\mathfrak q$ be the prime in $\mathbb K'$ lying below $\mathfrak p$, and let $q$ be the rational prime lying below $\mathfrak p$ and $\mathfrak q$. Also, let $\mathfrak q'$ be the conjugate of $\mathfrak q$ over $\mathbb Q$; since $q$ splits into two primes in $\mathbb K'$ (see the very beginning of the proof for the explanation), we have the prime factorization $q\mathcal O_{\mathbb K'} = \mathfrak q \mathfrak q'$.

Let $v_{\mathfrak p}, v_{\mathfrak q}, v_{\mathfrak q'}$, and $v_q$ be the valuations on $\mathbb K^+$, $\mathbb K'$, $\mathbb K'$, and $\mathbb Q$ corresponding to $\mathfrak p, \mathfrak q, \mathfrak q'$, and $q$, respectively. Since $q$ is unramified in $\mathbb K$ (the only ramified prime in $\mathbb K$ is $p$), we may assume that all these valuations are normalized; that is, their value groups are $\mathbb Z$.

Trivially, $n + \rho$ is a norm from $\mathbb K_{\mathfrak p}$ to $\mathbb K^+_{\mathfrak p}$ if $\mathbb K_{\mathfrak p} = \mathbb K^+_{\mathfrak p}$. This happens if and only if $\mathfrak p$ splits completely in $\mathbb K$; that is, if and only if the complex conjugation automorphism $\tau$ does not lie in the decomposition group of a prime $\mathfrak P \subseteq \mathbb K$ lying above $\mathfrak p$. Since the Galois group $\operatorname{Gal}(\mathbb K/\mathbb Q)$ is cyclic, $\tau$ is its unique involution. Hence for $\mathbb K_{\mathfrak p} = \mathbb K^+_{\mathfrak p}$ to hold it is necessary and sufficient that the decomposition group of $\mathfrak P$ has odd order; equivalently, the inertia degree of $q$ in $\mathbb K/\mathbb Q$ is odd; that is, the order $\operatorname{ord}_p(q)$ is odd. Thus, if $\operatorname{ord}_p(q)$ is odd, then $n + \rho$ is a norm from $\mathbb K_{\mathfrak p}$ to $\mathbb K^+_{\mathfrak p}$.

To complete the proof, we show that for $\operatorname{ord}_p(q)$ even, $n + \rho$ is a norm from $\mathbb K_{\mathfrak p}$ to $\mathbb K^+_{\mathfrak p}$ if and only if $v_q\!\left(\frac{p-1}{4}\right)$ is also even. So assume now that $\operatorname{ord}_p(q)$ is even. Since $\mathbb K_{\mathfrak p}/\mathbb K^+_{\mathfrak p}$ is an unramified quadratic extension, by [Se79, Chapter V, §2, Corollary to Proposition 3] the group of norms from $\mathbb K_{\mathfrak p}$ to $\mathbb K^+_{\mathfrak p}$ inside $(\mathbb K^+_{\mathfrak p})^{\times}$ is $(\pi_{\mathfrak p}^2) \times U_{\mathbb K^+_{\mathfrak p}}$, where $\pi_{\mathfrak p}$ is a uniformizer of $\mathbb K^+_{\mathfrak p}$ (i.e. $v_{\mathfrak p}(\pi_{\mathfrak p}) = 1$) and $U_{\mathbb K^+_{\mathfrak p}}$ is the unit group of $\mathbb K^+_{\mathfrak p}$. Thus, $n + \rho$ is a norm from $\mathbb K_{\mathfrak p}$ to $\mathbb K^+_{\mathfrak p}$ if and only if $v_{\mathfrak p}(n + \rho)$ is even. Let $\rho' := -\frac{\sqrt p + 1}{2}$ be the conjugate of $\rho$ over $\mathbb Q$. Observe that

$0 = v_q(2n - 1) = v_{\mathfrak q}(2n - 1) = v_{\mathfrak q}\bigl((n + \rho) + (n + \rho')\bigr) \ge \min\{v_{\mathfrak q}(n + \rho),\, v_{\mathfrak q}(n + \rho')\}$

implies

$\min\{v_{\mathfrak q}(n + \rho),\, v_{\mathfrak q}(n + \rho')\} = 0,$ (28)

and also that

$v_q\!\left(\tfrac{p-1}{4}\right) = v_{\mathfrak q}\!\left(\tfrac{p-1}{4}\right) = v_{\mathfrak q}\bigl((n + \rho)(n + \rho')\bigr) = v_{\mathfrak q}(n + \rho) + v_{\mathfrak q}(n + \rho').$ (29)

If $v_q\!\left(\frac{p-1}{4}\right)$ is odd, then either $v_{\mathfrak q}(n + \rho)$ is odd, or $v_{\mathfrak q}(n + \rho') = v_{\mathfrak q'}(n + \rho)$ is odd; hence, either $n + \rho$ is not a norm from $\mathbb K_{\mathfrak p}$ to $\mathbb K^+_{\mathfrak p}$, or it is not a norm from $\mathbb K_{\mathfrak p'}$ to $\mathbb K^+_{\mathfrak p'}$ for some prime $\mathfrak p'$ of $\mathbb K^+$ lying above $\mathfrak q'$. It follows that if $v_q\!\left(\frac{p-1}{4}\right)$ is odd, then $n + \rho$ is not a norm from $\mathbb K$ to $\mathbb K^+$. On the other hand, if $v_q\!\left(\frac{p-1}{4}\right)$ is even, then by (28) and (29), $v_{\mathfrak q}(n + \rho)$ is also even and, similarly, $v_{\mathfrak q'}(n + \rho) = v_{\mathfrak q}(n + \rho')$ is even. Therefore, if $v_q\!\left(\frac{p-1}{4}\right)$ is even, then $n + \rho$ is a norm from $\mathbb K_{\mathfrak p}$ to $\mathbb K^+_{\mathfrak p}$ for all $\mathfrak p$ lying above $q$.

This completes the proof. □ 
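The condition of Proposition 2 is mechanically checkable for any candidate prime. The Python script below is an added example, not code from the paper: it factors $p - 1$, computes $\operatorname{ord}_p(q)$ for every prime $q$ dividing $p - 1$ to an odd power, and reports whether all of these orders are odd; it also enumerates the primes of the shape $p = 2n(n-1)+1$ required by Proposition 1 below a bound and lists those that pass. The function names (`satisfies_order_criterion`, `surviving_primes`, `triangular_index`) are my own, and the bound and sample primes are constructed inputs.

```python
import math


def factorize(m):
    """Trial-division factorization of a positive integer m, as {prime: exponent}."""
    factors = {}
    d = 2
    while d * d <= m:
        while m % d == 0:
            factors[d] = factors.get(d, 0) + 1
            m //= d
        d += 1
    if m > 1:
        factors[m] = factors.get(m, 0) + 1
    return factors


def is_prime(m):
    """Primality via the factorization above (adequate for the small bounds used here)."""
    return m >= 2 and factorize(m) == {m: 1}


def multiplicative_order(q, p):
    """ord_p(q): the least e >= 1 with q^e = 1 (mod p); assumes p prime and p does not divide q."""
    e, x = 1, q % p
    while x != 1:
        x = (x * q) % p
        e += 1
    return e


def triangular_index(p):
    """Return the integer n >= 1 with p = 2n(n-1) + 1, or None if there is none.
    Solving 2n^2 - 2n + 1 - p = 0 gives n = (1 + sqrt(2p - 1)) / 2."""
    s = math.isqrt(2 * p - 1)
    if s * s != 2 * p - 1 or (1 + s) % 2 != 0:
        return None
    return (1 + s) // 2


def satisfies_order_criterion(p):
    """Proposition 2's condition for the prime p: for every prime q dividing p - 1
    to an odd power, ord_p(q) must be odd. Returns (ok, sorted list of offending q)."""
    offending = []
    for q, exponent in sorted(factorize(p - 1).items()):
        if exponent % 2 == 1 and multiplicative_order(q, p) % 2 == 0:
            offending.append(q)
    return (not offending, offending)


def surviving_primes(bound):
    """Primes p < bound of the form p = 2n(n-1) + 1 that pass Proposition 2's criterion."""
    result = []
    n = 2
    while 2 * n * (n - 1) + 1 < bound:
        p = 2 * n * (n - 1) + 1
        if is_prime(p) and satisfies_order_criterion(p)[0]:
            result.append(p)
        n += 1
    return result


if __name__ == "__main__":
    # Constructed sample primes: 5 and 13 are the small cases, 41 and 61 fail, 181 passes.
    for p in (5, 13, 41, 61, 181):
        ok, bad = satisfies_order_criterion(p)
        print(p, "n =", triangular_index(p),
              "passes" if ok else "fails: even ord_p(q) for q in " + str(bad))
    print("primes 2n(n-1)+1 below 200 passing Proposition 2:", surviving_primes(200))
```

Passing this check is necessary but not sufficient for a set $A$ with $A - A = \mathcal R_p$ to exist: Proposition 2 only concerns the existence of the algebraic integer $\alpha$, and Proposition 1 additionally requires the trace condition, which is what Lemma 2 turns into a statement about subsets of $\mathbb F_p$.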